Do You Know the Difference Between Risk Tolerance and Risk Appetite?

Just what is risk appetite and how does it differ from risk tolerance?

Risk Appetite vs Risk Tolerance

How can we have a productive conversation about risk management unless we use the same language? One of the terms that serves as much to confuse as to clarify is “risk appetite.” What does it mean, and how does it differ from risk tolerance?

An entity should also consider its risk tolerances, which are levels of variation the entity is willing to accept around specific objectives. Frequently, the terms risk appetite and risk tolerance are used interchangeably, although they represent related, but different concepts. Risk appetite is a broad-based description of the desired level of risk that an entity will take in pursuit of its mission. Risk tolerance reflects the acceptable variation in outcomes related to specific performance measures linked to objectives the entity seeks to achieve.

They continue:

So to determine risk tolerances, an entity needs to look at outcome measures of its key objectives, such as revenue growth, market share, customer satisfaction, or earnings per share, and consider what range of outcomes above and below the target would be acceptable. For example, an entity that has set a target of a customer satisfaction rating of 90% may tolerate a range of outcomes between 88% and 95%. This entity would not have an appetite for risks that could put its performance levels below 88%.”

Does this work? To a degree, perhaps. The way I look at it, risk appetite or tolerance are devices I use to determine whether the risk level is acceptable or not. I want to make sure I take enough, as well as ensure I am not taking too much. This is all within the context of achieving the organization’s objectives.

In other words, these are risk criteria: criteria for assessing whether the risk level is OK or not. Before progressing to see how ISO 31000 tackles the topic, I want to stop and see what one of the major auditing/consulting organizations has to say.

Ernst & Young's Perspective of Risk Appetite vs Tolerance

Risk capacity: the amount and type of risk an organization is able to support in pursuit of its business objectives.

Risk appetite: the amount and type of risk an organization is willing to accept in pursuit of its business objectives.

Risk tolerance: the specific maximum risk that an organization is willing to take regarding each relevant risk.

Risk target: the optimal level of risk that an organization wants to take in pursuit of a specific business goal.

Risk limit: thresholds to monitor that actual risk exposure does not deviate too much from the risk target and stays within an organization’s risk tolerance/risk appetite. Exceeding risk limits will typically act as a trigger for management action.

There are similarities to the COSO ERM definitions, with both using appetite for the organization’s overall acceptable level of risk, and tolerance to describe risk at a lower, more granular level. Personally, I find the EY examples and usage a little better than the COSO one -- the idea of a variance from objectives is not appealing and I am not confident it is very practical.

Acceptable Risk -- Criteria

Coming back to the idea of risk criteria. One common practice is for risk managers (and consultants, vendors, etc) to talk about risk as being high, medium, low, etc; another is to quantify it in some way, often in monetary terms. (Just think of a typical heat map.) But, just because a risk is considered “high” doesn’t necessarily mean that it is too high. Similarly, just because a risk is “low” doesn’t mean that the risk level is desirable.

Think about somebody in one of the Libyan cities being shelled this week. They are considering whether to stay or leave the city, and then whether to go to family in Tripoli or try to get across the border into Egypt. All of the options, including doing nothing, are high risk -- but they need to take one.

Maybe that is an extreme example. COSO talks about balancing risk and reward, and the notion that you need to take risks -- even high ones -- in order to obtain rewards. An example of this could be a decision to enter a new market. The risks may be high, but the rewards justify taking them.

Exploring that example a little more, there may be several options for entering the market: slowly dipping the toe in, going full blast or partnering with a company that already has a major presence. If you just look at the level of risk without considering the rewards that can be obtained from each option, you may make a poor decision.

Where am I going? To assess whether a risk level is acceptable or not, it is not enough to say it is high, medium, $5 million, etc. You have to say whether it is acceptable given the potential rewards by reference to your risk criteria. This is where, for me, appetite and tolerance play -- and risk target, as explained by EY.

So, to ISO. Here are a few definitions from ISO Guide 73, Risk Management - Vocabulary.

Risk attitude: organization's approach to assess and eventually pursue, retain, take or turn away from risk

Level of risk: magnitude of a risk or combination of risks, expressed in terms of the combination of consequences and their likelihood

Risk criteria: terms of reference against which the significance of a risk is evaluated

Risk evaluation: process of comparing the results of risk analysis with risk criteria to determine whether the risk and/or its magnitude is acceptable or tolerable

Risk appetite: amount and type of risk that an organization is willing to pursue or retain

Risk tolerance: organization's or stakeholder's readiness to bear the risk after risk treatment in order to achieve its objectives

It is worth noting that the ISO 31000:2009 standard doesn’t use all these terms. Rather than getting into a detailed discussion around risk appetite and tolerance, the standard says you should establish risk criteria and then evaluate risks against those criteria to determine which risks need treatment.

Frankly, I would prefer more detailed guidance on this, as the decision on how much risk to take is the key to effective risk management. But, we will have to wait for more practical guidance from ISO and its national organizations.

My Take on Risk Appetite/Tolerance

Here’s my view. I like and use the ISO definitions (from Publication 73) I listed above. Companies have to take risk to make a profit, or deliver value to their stakeholders. They level of risk they pursue is their appetite for risk. But they may be able to tolerate, or absorb, a different level of risk without significant pain and impact on achieving their strategic objectives. This is their tolerance.

A colleague with IIA Canada, Eric Lavoie, shared with me a model he has used with one of his financial services clients. My representation is shown below.

Risk appetite is represented by a range. When risk levels fall outside that range, performance is sub-optimal. When risk levels exceed the organization’s risk tolerance, it becomes more critical to take action.

About the Author

Norman Marks, CPA, is Vice President, Governance, Risk, and Compliance (GRC) at SAP BusinessObjects, where he is an evangelist for the GRC market and SAP’s related software. A chief audit executive of major global corporations for over 15 years, and a recognized thought leader in the profession of internal auditing, Norman is an active member of the Institute of Internal Auditors. He led the development of IIA responses to proposed rules by the PCAOB and SEC, is the editor of the Corporate Governance column in the IIA’s Internal Auditor magazine, a member of the review boards of several audit and risk management publications, a frequent speaker internationally, the author of several award-winning articles, and blogs for the IIA about internal audit, risk management, governance and compliance.

SMG/CMSWire is a leading, native digital publication produced by Simpler Media Group, Inc. We provide articles, research and events for sophisticated professionals driving digital customer experience strategy, evolving the digital workplace and creating intelligent information management practices. The CMSWire team produces 400+ authoritative articles per quarter for our 2.7 million community members. Join us as a subscriber.